On a perhaps not unrelated note, packeteer.com is offline (500 error). I would have thought Blue Coat would just 301 redirect it to Bluecoat.com but what do I know?

• Remote Login Utility – Use any that works with your OS. You can use Telnet or SSH. You might like SecureCRT for Windows, OpenSSH for Unix or use Terminal on OS X.

• Console Connection – Use a null-modem cable to hook directly to the shaper. Start your terminal emulation program (like Hyperterm). Configure Hyperterm for 9600 bps, 8 data bits, 1 stop bit, no parity, hardware flow control. Power on the shaper and then enter your password.

• Browser Interface (believe it or not) – Type in the shaper’s IP address in the browser address field followed by /cli.htm. The Command Interpreter will appear. This has limitations. You can’t use interactive commands that require user input or confirmation. You shouldn’t issue a command before the previous command has finished processing. The shaper will explode. (Not really)

You can get a complete list of commands at PacketGuide. Here are some of the most useful:

1. setup show – this is useful if you suspect a mis-configuration

2. version verbose – gives you the version, serial number, RAM, flash size, mac addresses, keys, and loaded plugins

3. ping -s n – Use this to determine if a particular host is reachable. s:continuous, n:limit the number of pings

   ex:Packetshaper# ping -s 172.16.0.1 5 (5 ICMP echo requests are sent to 172.16.0.1)

4. arp show – Helpful if PacketShaper is unable to reach services such as gateway DNS server, time server, etc. Device malfunctions, replacements, or rewiring may leave incorrect entries in the ARP table. Use the arp command to display or change entries to match real network conditions.

5. net nic – Look for the TxErrors and Rx Errors. If they increase each time you run the command, you should probably hard code the NIC speed. That usually fixes it.

6. host info -sf -n 20 – Displays the top 20 hosts with the most connections. This could be an indicator that someone is propagating a virus or worm. sf:sort hosts by new flows per minute n 20:limit list to 20 addresses

7. host show – Displays the top 20 bandwidth users sorted by their usage sr:sort hosts by current rate. n 20:limit list to 20 addresses

   If you suspect an infected host on the network: host info -sp -n 20 This will display the top 20 hosts that have the most failed flows in the last 1-minute. sp:sort on failed connections column n 20: limit the display to 20 hosts

8. traffic history find – Find what a particular user has been doing. ex. PacketShaper# tr hi find 172.17.22.100

9. traffic flow -tupla – Another look at what a user has been doing. t:show TCP flows u:show UDP flows p:show port numbers I:show non-idle flows a:show info for a specific address.

   If you see large amounts of unclassified traffic such as when the default bucket has a high 1 minute average or rapidly increasing class hits, then try this:

   traffic flow -tupIxc t:show TCP flows u:show UDP flows p:show port numbers I:show non-idle flows x:expand- show full class names c:only show info for a specific class

   That can also be used to find what type of traffic is currently active.

   Another good variation:traffic flow -to t:show TCP traffic o:overview – This gives you an overview of all TCP traffic.

   If you suspect a syn attack: *traffic flow -tiI will be helpful. You will see a ton flows of unknown service type and very few connections that are fully established.

   If you suspect IP spoofing or a DDOS attack: traffic active will tell you how many flows current active, what type they are, and how old they are. If you see a huge amount in a small amount of time (relative to your normal traffic of course) your network may be under attack.

10. traffic history recent [class] – This lets you find out which users are using an application. ex: Packetshaper# tr hi re inbound/http

11. net pna – Show network statistics. This is a useful overview to monitor for large-scale errors or unusual network conditions.

12. sys limits – Make sure you aren’t maxing out your available traffic classes or matching rules for your unit.

Suppose some of your employees have installed web proxy tools (such as proxifier, proxster, and proxyshare) that allow them to send traffic (such as KaZaA, Morpheus, and ICQ) through an HTTP tunnel. Since HTTP traffic (port 80) can get through the firewall, they are able to bypass the firewall rules. However, the PacketShaper is able to spot peer-to-peer traffic hiding inside an HTTP tunnel. The HTTP-Tunnel service automatically identifies and classifies traffic that is sent through an HTTP tunnel via an HTTP proxy server on the Internet. Once this traffic is classified, you can restrict this unsanctioned traffic by applying appropriate policies. (See Control Peer-to-Peer Downloads.)

This technique assumes all HTTP tunnel traffic is unsanctioned. But what if your website is using HTTP tunneling via a web proxy to secure outbound traffic via SSL? How can you limit the use of unsanctioned web proxies but still ensure the sanctioned ones are protected? The PacketShaper can easily handle both situations. Just create an IP-based class for the sanctioned proxies and set appropriate policies to protect the traffic flowing to and from sanctioned proxies. The unsanctioned web proxy traffic will get classified into the inbound/http-tunnel and outbound/http-tunnel classes that have the restrictive policies.

This and more information on using Packeteer to augment your security strategy can be found here.